VYPR
Unrated severity · NVD Advisory · Published May 15, 2025 · Updated May 17, 2025

SVG Uploads Support <= 2.1.1 - Author+ Stored XSS via SVG

CVE-2023-7086

Description

The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The SVG Uploads Support WordPress plugin through 2.1.1 allows Author-level users to upload malicious SVG files leading to stored XSS.

Vulnerability

The SVG Uploads Support WordPress plugin, in versions through 2.1.1, does not sanitize uploaded SVG files. This allows users with a role as low as Author to upload a malicious SVG containing XSS payloads [1].

Exploitation

An attacker must have an Author-level account or higher on the WordPress site. The attacker uploads a crafted SVG file containing JavaScript payloads via the media upload feature. When the SVG is viewed or rendered on the site, the XSS payload executes in the context of the victim's browser [1].

Impact

Successful exploitation leads to stored cross-site scripting (XSS). A victim visiting a page displaying the malicious SVG triggers the payload, which could allow session hijacking, cookie theft, or other actions within the affected WordPress site [1].

Mitigation

As of the cited reference, no official fix is available for this vulnerability [1]. Users should remove the plugin or replace it with an alternative that properly sanitizes SVG uploads.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sanitization of uploaded SVG files allows arbitrary JavaScript to be embedded and executed."

Attack vector

An attacker with a role as low as Author can upload a malicious SVG file containing embedded JavaScript (XSS payloads) [1]. Because the plugin does not sanitize SVG files, the malicious content is stored on the server and executed in the browser of any user who views the uploaded SVG, leading to stored cross-site scripting [CWE-79].

Affected code

The advisory does not specify exact file paths or function names. The vulnerability exists in the SVG Uploads Support plugin (slug: svg-uploads-support) through version 2.1.1, where uploaded SVG files are not sanitized [1].

What the fix does

The advisory states there is no known fix for this vulnerability [1]. The recommended remediation would be to implement proper sanitization of uploaded SVG files, stripping out executable JavaScript (e.g., event handlers, script tags) while preserving valid SVG markup, or to restrict SVG upload capability to trusted roles only.
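The sanitization step the remediation describes, as an added example in Python (not code from the plugin or the advisory): it removes script and foreignObject elements, event-handler attributes and script-bearing URLs from an uploaded SVG before it is stored, and keeps the remaining markup intact. Assumptions: a WordPress deployment would run the equivalent in PHP on the upload path and would still pair it with restricting SVG uploads to trusted roles; the sample file below is constructed for the example.

```python
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize <svg> without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}  # can run script / embed HTML; removed with subtree

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]        # "{ns}name" -> "name"

def _attr_is_unsafe(attr: str, value: str) -> bool:
    """Event handlers and script-bearing URLs are dropped; presentation attributes are kept."""
    name = _local(attr).lower()
    v = "".join(value.split()).lower()   # collapse whitespace hidden inside "java\nscript:"
    if name.startswith("on"):            # onload=, onclick=, onmouseover=, ...
        return True
    if v.startswith("javascript:"):      # scriptable URL in href, to=, values=, ...
        return True
    if name == "href" and ":" in v and not v.startswith(("http:", "https:", "#")):
        return True                      # any other URL scheme in a link (data:, vbscript:, ...)
    return False

def sanitize_svg(svg_text: str):
    """Return (clean_svg, removed_count); raise ValueError if the root element is not <svg>."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = 0
    # Pass 1: drop forbidden elements. Parents come from a snapshot, so removal is safe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_ELEMENTS:
                parent.remove(child)
                removed += 1
    # Pass 2: drop unsafe attributes from every surviving element, the root included.
    for el in root.iter():
        for attr in list(el.attrib):
            if _attr_is_unsafe(attr, el.attrib[attr]):
                del el.attrib[attr]
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

# Constructed fixture of the kind of upload the advisory describes (not a real sample).
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="40" height="40" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#10;script:alert(2)"><text y="20">click</text></a>
  <circle cx="10" cy="10" r="5" fill="red" onclick="alert(3)"/>
</svg>"""
```

Running `sanitize_svg(MALICIOUS_SVG)` on the fixture removes four items (the script element, the onload and onclick handlers, and the obfuscated javascript: link) and leaves the circle and text drawable.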

Preconditions

  • (auth) Attacker must have at minimum an Author-level account on the WordPress site
  • (config) The SVG Uploads Support plugin must be installed and active (version <= 2.1.1)
  • (config) The plugin must allow SVG file uploads (default behavior)

Reproduction

1. Log in to WordPress as an Author-level user.
2. Create a new post or media upload.
3. Upload an SVG file containing a malicious XSS payload, such as `

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1